Bitcoin Forum
December 02, 2016, 08:27:58 PM *
Pages: « 1 [2] 3 4 5 »  All
Author Topic: Reports of MtGox being hacked ARE REAL (Fixed)  (Read 40180 times)
jrmithdobbs (Jr. Member, Activity: 59)
June 18, 2011, 03:06:08 AM  #21

> I have independently confirmed that MtGox has a GIGANTIC CSRF vuln that lets me empty your account.
>
> MagicalTux, you should know better than that. Honestly.

Also confirmed. This isn't acceptable.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
lemonginger (Full Member, Activity: 210)
June 18, 2011, 03:11:50 AM  #22

So the exploit has been fixed?
cunicula (Hero Member, Activity: 756)
June 18, 2011, 03:13:10 AM  #23

Seems to me they should take the market offline until this is fixed.

Pretty sure Mt. Gox would have legal responsibility for coins/funds lost due to the exploit.

Allowing users who haven't read this thread to lose funds is negligent.


Digigami (Sr. Member, Activity: 460)
June 18, 2011, 03:13:46 AM  #24

nvm..
malditonuke (Full Member, Activity: 145)
June 18, 2011, 03:14:19 AM  #25

So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a separate browser for mtgox ONLY.

If you normally use Firefox, install Chrome and use that for mtgox. If you use Chrome, install Firefox.

If you use both, install a separate copy of Firefox Portable if you're on Windows.

for chrome, you can open mtgox in incognito-mode and that will work too, right?
tcatm (Sr. Member, Activity: 337)
June 18, 2011, 03:14:34 AM  #26

Both bugs are fixed now. I have just verified it.
Herodes (Hero Member, Activity: 868)
June 18, 2011, 03:15:27 AM  #27

I see some of you devs talking about releasing a script for the script kiddies that can be used to empty users' mtGox accounts, only because you haven't been able to get hold of MagicalTux.

If you do a whois listing of mtgox.com you will find contact information, also a phone number.

Before you all go apeshit over this issue, be aware that mtGox is probably flooded with requests, so it can be difficult to get hold of them quickly.

But I agree this is not an acceptable situation, but deal with it as adults, and remember anyone who creates a tool that can be used for mischief can also be held responsible for this. It is better to try to get hold of MagicalTux or someone else at mtGox instead of trying to make the matter worse.

I feel sorry for anyone who has lost their funds, and hope everyone takes proper security precautions.

Edit: I see now it is claimed that the issues in question have been fixed. Good.
jrmithdobbs (Jr. Member, Activity: 59)
June 18, 2011, 03:17:09 AM  #28

> Both bugs are fixed now. I have just verified it.

Seconded.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
jrmithdobbs (Jr. Member, Activity: 59)
June 18, 2011, 03:18:32 AM  #29

> But I agree this is not an acceptable situation, but deal with it as adults, and remember anyone who creates a tool that can be used for mischief can also be held responsible for this.

He's been trying to get ahold of him for a week.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
DamienBlack (Jr. Member, Activity: 56)
June 18, 2011, 03:19:32 AM  #30

Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?

I trade bitcoin options at https://bitoption.org/ ... Join me.
I play poker at https://betco.in/ ... Join me.
Support the bitcoin economy, what do you do?
Tips: 1NfXhiTFEdKQTdLy49s6DYAP1K7MeFWyao
Herodes (Hero Member, Activity: 868)
June 18, 2011, 03:21:03 AM  #31

> Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?

Yes, you can start with the buttcoins website, it just advertised for a wallet stealing site.
REF (Hero Member, Activity: 526)
June 18, 2011, 03:23:36 AM  #32

And today was my first time using mtgox.... good thing I didn't want I needed to and took everything out once I finished. I even hit log out, which I almost never do. Seems like some admin has removed this from the news. Good, no need to cause panic over something which has been fixed.
jrmithdobbs (Jr. Member, Activity: 59)
June 18, 2011, 03:26:54 AM  #33

> Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?
>
> Yes, you can start with the buttcoins website, it just advertised for a wallet stealing site.

walletinspector.info has once again been replaced by a static png image. They tried to re-implement it as a "funny" javascript-only form. Linode's abuse department didn't find my pointing this out humorous. The original site before ~00:00 CST did really steal wallets and the owner tried to play it off as a harmless prank to avoid service termination.

I'm still slightly disappointed that service was not outright canceled once it was discovered the authorized user of that VPS was in fact responsible for said site and that it wasn't due to a compromise.

At least it's not harmful, for now.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
bodhipraxis (Jr. Member, Activity: 56)
June 18, 2011, 03:27:11 AM  #34

> Both bugs are fixed now. I have just verified it.

Until 5 minutes ago, the following banner appeared on bitcoincharts.com:

done (Jr. Member, Activity: 56)
June 18, 2011, 03:29:20 AM  #35

Sounds like everything is safer than ever. Excellent job, guys.
Serge (Legendary, Activity: 1050)
June 18, 2011, 03:37:37 AM  #36

> So they are taking my cookies? NOZ!
>
> Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.
>
> I don't know this specific exploit but that is how it generally works.
>
> Nope.avi.
> CSRF != XSS.
>
> XSS = put my javascript on your site
>
> CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript

How can this be dealt with on the client side, besides what's been mentioned above? Is there a method to detect/disable both vulnerabilities without turning off cookies and JS?
Serge (Legendary, Activity: 1050)
June 18, 2011, 03:43:50 AM  #37

Were there any other sites that have been exploited with these things in the past?

In my understanding any web site is vulnerable to such an attack? Is this correct?
theymos (Administrator, Legendary, Activity: 2492)
June 18, 2011, 03:48:45 AM  #38

> In my understanding any web site is vulnerable to such an attack? Is this correct?

Not correctly-designed ones.

(I don't blame MagicalTux, since he didn't write the code.)

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Serge (Legendary, Activity: 1050)
June 18, 2011, 03:51:05 AM  #39

> Were there any other sites that have been exploited with these things in the past?
>
> In my understanding any web site is vulnerable to such an attack? Is this correct?
>
> Sorry for the OT post, but I couldn't help myself.
>
> Watch how Bitcoin brings computer security to the masses. Just another undiscovered benefit.

+1, thought exactly the same thing.
Serge (Legendary, Activity: 1050)
June 18, 2011, 03:53:43 AM  #40

> In my understanding any web site is vulnerable to such an attack? Is this correct?
>
> Not correctly-designed ones.
>
> (I don't blame MagicalTux, since he didn't write the code.)

Could you or anyone please point me where one can read how it can be dealt with on a server side?
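The server-side defence Serge asks about in #40, applied to the auto-submitted cross-site form described in #36: a session-bound synchronizer token plus an Origin/Referer check, so the browser's automatically attached cookie alone no longer authorizes a withdrawal. This is an added example written for this page, not code from the thread, from MtGox or from any of the posters; the site origin, session id, secret and addresses are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed placeholder secret; a real deployment would load a random key.
SERVER_SECRET = b"constructed-demo-secret"
SITE_ORIGIN = "https://exchange.example"  # assumed origin of the protected site

def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    The server embeds it in its own forms; a page on another site cannot
    read it, so an auto-submitted cross-site form cannot include it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def is_same_origin(headers: dict) -> bool:
    """Second, independent check: Origin (or Referer as fallback) must be ours.
    A request carrying neither is treated as cross-site."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN

def handle_withdraw(headers: dict, cookies: dict, form: dict) -> str:
    """State-changing endpoint. The session cookie, which the browser attaches
    to any request aimed at this site, is deliberately not sufficient."""
    session_id = cookies.get("session")
    if session_id is None:
        return "401 not logged in"
    if not hmac.compare_digest(csrf_token(session_id), form.get("csrf_token", "")):
        return "403 csrf token missing or wrong"
    if not is_same_origin(headers):
        return "403 cross-site origin"
    return f"200 withdrew {form['amount']} to {form['address']}"

# Constructed sample traffic; the browser sends the same cookie in both cases.
COOKIES = {"session": "sess-1234"}
LEGIT_FORM = {"amount": "1.5", "address": "1DemoAddressPlaceholder",
              "csrf_token": csrf_token("sess-1234")}
LEGIT_REQUEST = ({"Origin": SITE_ORIGIN}, COOKIES, LEGIT_FORM)
# Hidden form on a third-party page, auto-submitted by JavaScript as in #36:
# the cookie rides along, the token does not.
FORGED_REQUEST = ({"Origin": "https://evil.example"}, COOKIES,
                  {"amount": "1.5", "address": "1DemoAddressPlaceholder"})

if __name__ == "__main__":
    print(handle_withdraw(*LEGIT_REQUEST))   # 200 withdrew 1.5 to ...
    print(handle_withdraw(*FORGED_REQUEST))  # 403 csrf token missing or wrong
```

Either check alone blocks the forged form; keeping both means a lost Origin header or a leaked token on its own is not enough to bypass the endpoint.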